Europe wants to conquer the world all over again.
Only this time, its killer app isn’t steel or gunpowder. It’s an EU legal juggernaut aimed at imposing ever tougher privacy rules on governments and companies from San Francisco to Seoul.
When the region’s regulators roll out the changes — known as the General Data Protection Regulation, or GDPR — on May 25, it will represent the biggest overhaul of the world’s privacy rules in more than 20 years.
The new regulations offer EU citizens sweeping new powers over how their data can be collected, used and stored, presenting global leaders outside the 28-country block with a stark choice: bring their domestic laws in line with the EU’s new rules, or risk being shut out of a market of 500 million well-heeled consumers.
“Data protection is a good example of Europe trying to extend its influence over other countries,” said Christopher Kuner, co-chair of the Brussels Privacy Hub at the Vrije Universiteit Brussel. “Call it the ‘Brussels Effect.’”
“Any country that’s not working toward these standards is left out in the cold” — John Giles
For many countries, the choice is a no-brainer. Breaking commercial ties with the world’s largest trading bloc is unthinkable, and failing to comply brings the risk of hefty fines — up to €20 million or 4 percent of global revenue, whichever is higher — for any company with European customers that mishandles data.
In response, legislators worldwide are scrambling to update their domestic legislation to bend to Europe’s privacy rules. The data revamp will allow EU consumers to pull their data from a company at any time, force businesses to alert customers within three days if their data is hacked and let people move information to rival services at a drop of a hat.
The “Brussels effect” is mostly manageable for advanced economies like Japan, which last year set up an independent agency to handle privacy complaints to conform with Europe’s privacy standards during negotiations for a new Japan-EU trade deal.
But for emerging countries, the cost and administrative burden of applying the EU privacy standards can be daunting. In countries like South Africa, whose domestic legislation is primarily based on Europe’s rules, the upcoming data protection changes risks being viewed as yet another diktat handed down by former colonial powers in a form of “data imperialism.”
“Any country that’s not working toward these standards is left out in the cold,” said John Giles, managing attorney at Michalsons, a law firm in South Africa. “GDPR has long tentacles.”
Falling into line
For years, Europe has served as the world’s privacy police officer.
Since the mid-1990s, EU policymakers have rolled out a series of data protection rules that quickly became the de facto global standards for most countries except for a few holdouts like China, Russia and the United States.
But, as companies like Google, Facebook and Amazon vacuumed up more of people’s private information, European lawmakers upped the ante, intent on setting a new bar for data protection worldwide.
“We want to set the global standard,” Věra Jourová, the European commissioner for justice, told POLITICO last year. “Privacy is a high priority for us.”
Most multinational companies from Google to General Electric must comply with the new standards because of their existing activities in Europe. And smaller firms, even those currently with no operations in the EU, face a tough decision to either comply with the region’s stance on privacy or risk potential sanctions if European customers eventually sign up to their services.
For governments, the choice is often one of necessity. That’s particularly true as the EU now links potential free-trade agreements with demands that other countries adopt the region’s privacy standards through so-called “adequacy decisions.”
Israel and New Zealand are among a handful of international partners that have struck deals with the EU certifying that their data protection rules are equal to those of Europe. Only under those conditions can data — and billions of euros of trade — flow freely between the parties.
“We’re already seeing a number of countries falling in line with Europe” — Eduardo Ustaran
In Argentina, for instance, legal experts say that pending data protection reforms will put the Latin American country mostly on par with the EU’s new rules, including guarantees linked to the independence of the country’s privacy agency.
In Japan, which is still awaiting its own adequacy decision after signing a free-trade agreement with the EU in December, lawmakers also passed reforms last year that mirror many of Europe’s existing standards, such as imposing restrictions on international data transfers to countries whose own privacy rules do not offer equivalent protections.
Other countries, from Colombia to South Korea to the tiny island nation of Bermuda, are similarly rebooting domestic legislation. At times, that involves adopting European rules almost word for word.
“There’s no doubt it’s having an extraterritorial impact,” Eduardo Ustaran, co-director of the global privacy and cybersecurity practice at Hogan Lovells, a law firm that helped draft Bermuda’s data protection reforms, said in reference to Europe’s new privacy standards. “We’re already seeing a number of countries falling in line with Europe.”
For other countries, working out how to comply can be more fraught.
In late 2016, for instance, Pansy Tlakula became chairperson of South Africa’s Information Regulator, a newly created data protection agency to enforce local standards that both protect people’s privacy rights and educate companies on what they can, and cannot, do with individuals’ personal data.
While the country’s data protection rules are primarily based on those of Europe, Tlakula said that South Africa’s own circumstances — including not overly burdening local small businesses without the budgets or know-how to follow complicated privacy rules — would take priority over following standards created for others with deeper pockets to tackle potential abuse.
“We regard Europe’s directives as best practice,” she said in an interview last year. “But whatever systems we put in place need to be affordable.”
When countries resist, Europe is ready to turn the economic screws.
U.S. policymakers argue that American data protection standards, enshrined in the constitution and enforced aggressively by the Federal Trade Commission, do more to guard against misuse than European standards, which often can be more bark than bite.
But that didn’t stop Europe’s highest court from tearing up a 15-year-old data-transfer agreement in 2015 between the region and the United States after judges ruled that American authorities did not fully protect EU citizens’ data when transferred across the Atlantic.
As Europe’s new privacy standards kick in over the coming months, Europe is expected to use its economic muscle to cajole others to follow suit.
“Europe wanted to be seen selling a global standard,” said John Bowman, former lead negotiator for the U.K. government on Europe’s new data protection rules, who is now a senior principal at Promontory, a regulatory compliance firm in London. “That’s crystallized through its adequacy decisions.”
“In terms of regulatory influence, Europe is definitely a superpower” — Christopher Kuner
In Canada, whose own adequacy decision will be reviewed by 2022, officials remain wary of overhauling their domestic rules to mimic Europe — although politicians held a series of parliamentary hearings last year to discuss a potential revamp in case the country’s privacy deal with the EU would be put at risk.
“Canada is taking a wait-and-see approach,” said Chantal Bernier, a former Canadian privacy commissioner who now works in the privacy and cybersecurity practice at Dentons, a law firm, in Ottawa. “There’s a possibility of Canada losing adequacy” as Europe’s rules come into effect.
Should that happen, few would be surprised if Canada quickly rewrote its laws to conform with what the EU wants.
“This is part of Europe’s exporting its soft power,” said Kuner, the co-chair of the Brussels Privacy Hub. “In terms of regulatory influence, Europe is definitely a superpower.”
This article has been updated to correct the name of the managing attorney at Michalsons, John Giles.